LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-04-2010, 11:26 AM   #1
Aatifali
LQ Newbie
 
Registered: Feb 2005
Location: Alkaram Textiles Mills Pvt. Ltd. Karachi Pakistan
Posts: 3

Rep: Reputation: 0
Prevent user bypassing DansGuardian


I need urgent help
Configuration are follows
Proxy = Squid 3.1 running on port 8080 (Transparent)
(without http_port virtual etc. its running fine)
http_port 127.0.0.1:8080
If required I will post my configuration files as well

Filtering = Dansguardian 2.10 running on port 3128

LAN IP's = 192.168.0.0/255.255.0.0
eth0 = 192.168.0.47/255.255.0.0 LAN Interface
eth0:1 = 192.168.0.61/255.255.0.0 (Virtually External Interface)

As we have no dual interfaces on single machine, we have only gateway/firewall address with DNS

IP Forwarding
Enable IP forwarding by modifying the value of net.ipv4.ip_forward = 1 in /etc/sysctl.conf
because our LAN users need to access mail servers out side our LAN

Redirecting Port 80 traffic to 3128 through IP tables
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128

Every thing working perfect filtering with Dansguardian and other things by enforcing proxy address in browser
When I configured browser with no proxy, and configure (192.168.0.47) as a gateway. Users are able to access those site which are restricted

One more thing sometimes its working with the above settings sometimes not. Means sometime it filter the browsing sometime it doesn't.

Could any one help me, it's the first time that I have raised a question on linuxquestion.org, because I have to resolve this issues on urgent basis.

Thanks in advance
 
Old 05-04-2010, 12:51 PM   #2
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,469

Rep: Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538Reputation: 2538
Quote:
Originally Posted by Aatifali View Post
I need urgent help
Configuration are follows
Proxy = Squid 3.1 running on port 8080 (Transparent)
(without http_port virtual etc. its running fine)
http_port 127.0.0.1:8080
If required I will post my configuration files as well

Filtering = Dansguardian 2.10 running on port 3128

LAN IP's = 192.168.0.0/255.255.0.0
eth0 = 192.168.0.47/255.255.0.0 LAN Interface
eth0:1 = 192.168.0.61/255.255.0.0 (Virtually External Interface)

As we have no dual interfaces on single machine, we have only gateway/firewall address with DNS

IP Forwarding
Enable IP forwarding by modifying the value of net.ipv4.ip_forward = 1 in /etc/sysctl.conf
because our LAN users need to access mail servers out side our LAN

Redirecting Port 80 traffic to 3128 through IP tables
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128

Every thing working perfect filtering with Dansguardian and other things by enforcing proxy address in browser
When I configured browser with no proxy, and configure (192.168.0.47) as a gateway. Users are able to access those site which are restricted

One more thing sometimes its working with the above settings sometimes not. Means sometime it filter the browsing sometime it doesn't.

Could any one help me, it's the first time that I have raised a question on linuxquestion.org, because I have to resolve this issues on urgent basis.

Thanks in advance
First, this is not 'urgent' for anyone here. We volunteer our time, so if you need **URGENT** support, use a distro that you pay for, and they'll be there for you.

And if I'm understanding what you wrote...your proxy is working fine...except when you bypass it? Yep...that sounds about right. If you don't want people to get out, block any other path.
 
0 members found this post helpful.
Old 05-04-2010, 03:30 PM   #3
orgcandman
Member
 
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 594

Rep: Reputation: 102Reputation: 102
Your network currently looks like:

Code:
 Sys.   Sys.   Sys.  Proxy   Gateway
  []     []     []     []     []
[    ] [    ] [    ] [    ] [    ]
   |______|______|______|_____|

Figure 1: All systems on either the same segments, or multiple switched segments.
A solution could be:

Code:
 Sys.   Sys.   Sys.  Proxy   Gateway
  []     []     []     []     []
[    ] [    ] [    ] [    ] [    ]
   |______|______|____|  |_____|

Figure 2: Two segments are coming from Proxy and are used to provide an exclusive tunnel.
It is left as an exercise to the reader to come up with other ways of making this work, or implement this at will.
 
Old 05-05-2010, 02:55 AM   #4
Aatifali
LQ Newbie
 
Registered: Feb 2005
Location: Alkaram Textiles Mills Pvt. Ltd. Karachi Pakistan
Posts: 3

Original Poster
Rep: Reputation: 0
Dear All,
Thanks for your help and assistance, Next time I will be careful about “URGENT”
The scenario here is

I need to provide internet access to our users transparently as they don't need to know about the proxy address. We have a router in place, through which I am accessing internet. Now I need to provide filtered internet to all of our users in the following way

[Internet]

| [Router/Gateway]
|
| [Squid/Dansguardian]
|
| [Client PCs]


PCs PCs PCs Proxy(Squid+Dansguardian) Gateway(Router)
[] [] [] [] []
[ ] [ ] [ ] [ ] [ ]
|______|_________|________________|___________________|


All are well connected with switches on a same segment.
Client PC's only has the access on Squid machine to get the internet. I want to do some magic with IP tables that the web traffic goes through DansGuardian---> Squid for filtration purpose. Remaining POP and SMTP traffic route through gateway without any interception.

Hope above will clear the situation and requirements

Once again thanks in advance
 
Old 05-06-2010, 08:10 AM   #5
Aatifali
LQ Newbie
 
Registered: Feb 2005
Location: Alkaram Textiles Mills Pvt. Ltd. Karachi Pakistan
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks guys
I think i was unable to demonstrate my problem, But finally I got the solution


http://ubuntuforums.org/archive/index.php/t-479407.html
 
  


Reply

Tags
dansguardian, ip, proxy, squid, tables, transparent


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid Dansguardian allow user to bypass with password viper3two Linux - Software 5 10-14-2012 04:24 PM
user bypassing demo restrictions qwertyjjj Linux - Security 15 01-19-2010 08:23 PM
dansguardian log user name instead of ip jatender Linux - Server 0 08-16-2007 04:58 AM
QUESTION: DansGuardian and User Authentecation eech55 Linux - Software 3 02-02-2005 10:21 AM
First time user needs help with bypassing a start up screen. aNi-DiFrAnCo Linux - Newbie 27 07-23-2004 07:41 PM


All times are GMT -5. The time now is 03:28 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration